Oct 22, 2007

Security Products & PCI Compliance

There's one compliance question that keeps raising its head for every piece of hardware and software considered to be 'in scope' for an assessment: "Will this product make me compliant?" We've heard this through our advisory groups and in discussions with information security pros and compliance/risk management executives.

Fact: no product will make you compliant. But an inadequate or misconfigured product can certainly prevent you from achieving compliance.

That's not to say vendors aren't scrambling to answer this question from their customers with an affirmative "Yes! ACME's web application firewall will make you compliant." But then the hard part begins. First, they have to explain specifically HOW it does so, in a manner that will convince the assessors and card brands reading the reports on compliance. Second, they have to articulate that message clearly in a crowded, noisy marketplace of vendors all claiming that their products will either make you compliant or help you achieve compliance.

The question should actually be broken into two distinct components:

1. Does this product have the features to support a compliant network environment? I.e., is it capable of, and appropriate for, the use case?

2. Is this product properly configured and deployed according to the PCI requirements?

If you have deep expertise and plenty of resources you can try to tackle question 1 on your own, and many Level 1 and Level 2 merchants do. A warning, though: it's a trickier endeavor than one might think. There are over 200 sub-requirements in the DSS, and they are not grouped around any particular product. Security functionality, management features, update requirements and procedures are spread throughout the standard, so mapping a single product to the sub-requirements it can satisfy takes real work. What has been missing until now is a product-centric view of the DSS requirements. This is where NSS Labs has come in with its partners and advisors to create a product validation scheme that addresses the requirements of PCI DSS. We are actively evaluating products against this standard and producing validation reports accordingly.

Regarding question 2, merchants and service providers are obligated to prove to assessors and their acquiring banks not only that they have the right products, but that those products are configured properly. To this end, NSS Labs is including in its PCI reports several recommended configurations for various PCI deployments. For example, which settings in a unified threat management (UTM) appliance are necessary to deploy the product in a retail storefront? Or what firewall configuration and policies are needed at the perimeter?

To be clear, only an assessor, and ultimately the card brands, can certify and validate a cardholder network as compliant. NSS Labs' contribution is to provide independent, empirical validation of product suitability. We will be releasing the first reports imminently. Stay tuned.

We've heard from many corners of the industry that this is a good thing, and merchants, assessors and banks are looking forward to seeing more and more products validated in this manner. What's your opinion? Let me know [ rmoy AT nsslabs DOT com ]